Texas Security and Risk Management

6.0 Information Security

Copyright(c), 1995 - Management Analytics - All Rights Reserved

Texas Administrative Code 201.13(b) requires that each agency identify, classify and protect the automated files, data bases and applications for which it has ownership responsibility. Classifying information and the applications that function to process it is at the heart of identifying and selecting appropriate security and risk management practices. Each agency's security objectives must include maintaining information integrity and confidentiality and assuring the availability of critical information technology support services.

6.1 Authorized Use and Ownership of State Information Resources

STANDARD. All information and telecommunication resources leased or owned by the state and all time-sharing services billed to the state shall be used only to conduct state business except as otherwise provided by state law.

STANDARD. All computer software programs, applications, source code, object code, and documentation shall be deemed to be a work made for hire and is state property and shall be protected as such if developed either:

STANDARD. All computer software programs, applications, and documentation purchased for the use of the state is state property and shall be protected as such.

It is an infringement of state law and policy to copy proprietary software inviolation of a licensing agreement.


6.2 Goals: Confidentiality, Integrity, Availability

There are three general goals for information security: confidentiality, integrity, and availability.

Confidentiality means the system does not allow information to be disclosed to anyone who is not authorized to access it. Integrity means the system must not corrupt the information or allow any unauthorized malicious or accidental changes to it. Availability means the computer system keeps working efficiently and is able to recover quickly if a disaster occurs.

6.3 Confidentiality of Data and Systems

Confidential information requires special precautions to protect it from unauthorized or accidental access, disclosure, or dissemination. Automated information systems which process confidential information require adequate controls to safeguard against violating individual rights to privacy or endangering the public's health, welfare, or safety.

STANDARD. Confidential information shall be accessible only to personnel who are authorized by the owner on a strict "need to know" basis in the performance of their duties. Data containing any confidential information shall be readily identifiable and treated as such in its entirety.

STANDARD. When confidential or sensitive information from one agency is received by another agency in connection with the transaction of official business, the receiving agency shall maintain the confidentiality or sensitivity of the information in accordance with the conditions imposed by the providing agency.


6.4 Integrity of Data and Systems

In terms of volume, errors and omissions are the greatest causes of incorrect information processing.

STANDARD. Controls shall be established to ensure the accuracy and completeness of data. User management shall ensure that data comes from the appropriate source for the intended use.


6.5 Availability of Critical Data and Systems

State policy requires that each agency prepare a Contingency Plan that includes the procedures necessary to assure the continuation of vital agency operations in the event of a disaster. Each agency must identify and prioritize its critical applications. In the event of a disaster the agency must attempt to maintain the availability and continued operation of critical systems on a priority basis.

Each agency's Contingency Plan must outline the internal policies and procedures that are to be employed should a disaster occur. If the agency employs the services of a data center, it should coordinate the preparation of its Contingency Plan with that facility. The plan should be designed to assure the continued availability of critical applications. In the event of a disaster, critical applications should be maintained on a priority basis. The maintenance and operation of other systems is secondary to that of critical applications.

Critical applications include those systems whose loss or unavailability is unacceptable to the agency. The loss or unavailability of support services provided by these applications may adversely affect the public's health, safety, or welfare; the continuation of vital programs and services; or the fiscal or legal integrity of state operations.

Critical applications should be classified and prioritized in the following order:

6.6 Mechanisms: Accountability, Encryption, and Access Control

There are three types of mechanisms used to reach the information security goals of confidentiality, integrity, and availability.

Accountability mechanisms help trace violations or attempted violations of system security to the individuals who are responsible. Passwords and audit trails are accountability mechanisms.

Encryption is the transformation of usable information into unintelligible data using a key, or known formula. Unless the key is known to the reader, the confidentiality of the information is maintained.

Access controls limit the use of a system or an object (e.g. a file) on the system to authorized subjects (e.g. users).

6.7 User Accountability: Passwords

Properly implemented and managed, passwords will improve the likelihood that users are who they purport to be and that a users access can be controlled effectively. Passwords are an important deterrent to intrusion.

STANDARD. Except for public users of systems where such access is authorized, or for situations where risk analysis demonstrates no need for individual accountability of users, each user of a multiple-user automated system shall be assigned a unique personal identifier or user identification. User identification shall be authenticated before the system may grant that user access to automated information.

STANDARD. A user's access authorization shall be removed from the system when the user's employment is terminated or the user transfers to a position where access to the system is no longer required.


6.8 Password Controls

Personal passwords are used to authenticate a user's identity and to establish accountability. Access passwords are used to grant access to data and may be used where individual accountability is not required. Federal Information Processing Standard Publication 112 (FIPS PUB 112) specifies basic security criteria in the use of passwords to authenticate personal identity and data access authorization.

STANDARD. Systems which use passwords shall conform to the federal standard on password usage contained in the Federal Information Processing Standard Publication 112 (FIPS PUB 112), which specifies minimum criteria and provides guidance for selecting additional password security criteria when appropriate. A current password standard compliance document shall be maintained for each system which uses passwords, specifying the criteria to be met for the ten factors which address design, implementation, and use of access control systems as contained in the FIPS PUB 112 standard.


6.9 Audit Trails

All transactions should be auditable or traceable to their origin or source.

STANDARD. Audit trails shall be maintained to provide accountability for all accesses to confidential or sensitive information and software and for all changes to automated security or access rules. An auditable, continuous chain of custody shall record the transfer of confidential or sensitive information.

Automated chronological or systematic records of changes to data are important in the reconstruction of previous versions of the data in the event of corruption. Such records, sometimes referred to as journals, are useful in establishing normal activity, in identifying unusual activity, and in the assignment of responsibility for corrupted data.

STANDARD. A sufficiently complete history of transactions shall be maintained for each session involving access to confidential or sensitive information to permit an audit of the system by tracing the activities of individuals through the system.


6.10 System Audits

The establishment and maintenance of a system of internal control is an important management function. Internal audits of information resource management functions, including security of data and information technology resources, are an integral part of an overall security program. The frequency, scope, and assignment of internal audits for security of data and information technology resources should be established to ensure that agency management has timely and accurate information concerning functions management is responsible to perform.

STANDARD. Automated systems which process confidential or sensitive information must provide the means whereby authorized personnel have the ability to audit and establish individual accountability for any action that can potentially cause access to, generation of, or effect the release of the information.


6.11 Encryption

Encryption should be considered if the information in question warrants a high level of security and is to be electronically transmitted, stored, or removed from a secure area.

Encryption is the process of character substitution or transposition in a sequence determined by an encryption formula. Most encryption uses the Data Encryption Standard (DES) formula, which has been endorsed by the National Institute of Standards and Technology. Readable text is converted to unreadable text based on a security key provided by the owner of the information. Anyone examining an encrypted file would see a string of unrelated characters or symbols. The encryption process can be reversed only by someone who has the security key.

6.12 Access Controls

Authority to read, write, modify, update, or delete information from automated files or data bases should be established by the designated owners of the information. Individuals may be granted a specific combination of authorities. For example, an individual may be allowed to "read only" or to "read and write but not delete" data. Authority to read, write, modify, update, or delete data may be identified at the data element level. Specific access authority should be established at the time an individual is assigned a password.

STANDARD. Controls shall ensure that legitimate users of the computer cannot access stored software or data unless they have been authorized to do so.


6.13 Enforcement

Each agency should establish appropriate internal policies and procedures to protect all classes of information. Such policies and procedures should take into consideration applicable federal and state law. Once the agency's internal security policies and procedures have been established, they must be enforced. Only then will employees recognize that information security is significant and that it is a management priority. Employees who fail to observe security requirements should be subject to disciplinary measures.

Information access authority for each employee should be reviewed on a regular basis, as well as each time a transfer, promotion, or termination from service occurs. Access authority to information should be changed or terminated as appropriate.

Management should monitor the use of information. Questionable usage of files, data bases, or communication networks should be investigated. Seemingly innocuous occurrences, such as a minor string of unsuccessful login attempts or increased system usage, can indicate unauthorized or illegal activity.

6.14 Security Breaches

Any event which results in loss, disclosure, unauthorized modification, or unauthorized destruction of information resources constitutes a security incident or breach. The analysis of trends and types of security breaches is important to the integrity of the agency's security program. Security incident investigation provides a basis for a continuing evaluation of the agency information security posture. The objective of such analysis is to refine agency security policies, standards, and guidelines to assure their continued effectiveness and applicability.

STANDARD. Security breaches shall be promptly investigated. If criminal action is suspected, the agency must contact the appropriate local law enforcement and investigative authorities immediately. Laws governing the admissibility of evidence are very strict and without professional advice the agency may be jeopardizing possible legal actions.

6.15 Security Implications for System Development and Testing

STANDARD. The test functions shall be kept either physically or logically separate from production functions. Copies of production data shall not be used for testing unless the data has been declassified or unless all personnel involved in testing are otherwise authorized access to the data.

STANDARD. Appropriate information security and audit controls shall be incorporated into new systems. Each phase of systems acquisition shall incorporate corresponding development or assurances of security and auditability controls.

GUIDELINES. The following security (including audit) activities should be addressed at the appropriate phase in acquiring new information processing systems:

STANDARD. After a new system has been placed in operation, all program changes shall be approved before implementation to determine whether they have been authorized, tested, and documented.